Help In Configuring ASA

Ron Timbang
Level 1

Hi Guys,

Good day!

Need your kind assistance in configuring the ASA. Currently users can connect using the VPN client. Users can access our local servers. The problem is that VPN users cannot connect to servers that are located on our other site, which is connected via site-to-site VPN. Do I need to configure static routes so the ASA knows how to route remote VPN users to our other site?

Thank you in advance. I have attached a diagram for reference.

Accepted Solution

Richard Burts
Hall of Fame

Ron

There is not enough information here for us to be sure. But my first guess at your problem is that by default an ASA will not forward traffic back out the interface on which it arrived. So if your VPN user traffic comes in the interface named outside, then it will not forward that traffic back out interface outside. But that is probably where your site-to-site traffic goes. The way to solve this is to use the command that allows same-security traffic intra-interface.

HTH

Rick


12 Replies


Hi Sir Richard,

Thank you for the information. I got your point, thanks a lot! Please let me know the details on how to configure this. I have been researching for a week now & I was able to read a topic on "VPN hairpinning". Is this the same concept? But the topic is very hard for me since I only have basic knowledge of Cisco ASA.

Is there a way to do this in ASDM?

Thank you very much, Sir.

Hi Ron,

I agree with Richard; I just wanted to add that you should also ensure the client's IP subnet is permitted through the site-to-site tunnel.

Hi Sir,

Thank you for the information. I have already coordinated with the other site to allow the client's IP subnet. Do you have an idea of what specific commands I need to configure? Thank you.

Ron

The command that you need is

same-security-traffic permit intra-interface

you might also want to use

same-security-traffic permit inter-interface

For more information you might try this link

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intparam.html#wp1039276

HTH

Rick


Hi Sir,

Thank you for the information. I have checked the command & followed a guide at the link below.

(MAIN SITE)

Step 1: Add the Subnet of the Remote Site to the "Split Tunnel" for the remote VPN -done

Step 2: Turn On Hair Pinning -done

Step 3: Add the "Remote VPN Network" to the EXISTING site to site VPN on the Main Site. -done

(REMOTE SITE)

Step 4: Add a NAT Exemption on the Remote Site ASA

Step 5: Add the Remote VPN Pool to the EXISTING Site to Site VPN Access List

Details are at this link: http://www.petenetlive.com/KB/Article/0000040.htm

How can I check if my counterpart already did steps 4 & 5? Can it be seen in the Cisco ASA packet tracer? Please see the result.

Again thank you sir for your support.
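The two commands Rick gave and the five steps listed above, put together as one configuration sketch for both ASAs. This is an added example, not configuration from the thread, from Cisco's guide or from the petenetlive article; every address, peer IP and ACL/policy name is made up, and the NAT lines use the pre-8.3 syntax that the linked ASA 7.2 guide describes (on 8.3 and later the two `nat ... 0 access-list` lines become identity twice-NAT rules instead).

```cisco
!===== MAIN SITE ASA (terminates the remote-access clients and the L2L tunnel) =====
! Constructed addressing (hypothetical): main LAN 192.168.1.0/24, remote LAN 192.168.2.0/24,
! remote-access VPN pool 10.10.10.0/24, remote-site peer 203.0.113.2
!
! Step 2 (Rick's first command): allow traffic that arrived on "outside" to leave via "outside"
same-security-traffic permit intra-interface
!
! Step 1: the split-tunnel list must include the REMOTE site's LAN, otherwise the client
! never sends that traffic into the tunnel in the first place
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Step 3: the EXISTING site-to-site crypto ACL gains a line for pool -> remote LAN
access-list L2L_TO_REMOTE extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_TO_REMOTE extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
! Hairpinned pool traffic enters and exits "outside", so exempt it from NAT on that interface
access-list NONAT_OUT extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUT
!
!===== REMOTE SITE ASA (its peer 198.51.100.1 is the main site, hypothetical) =====
! Step 5: mirror image of the main site's crypto ACL, so the pool is an acceptable proxy identity
access-list L2L_TO_MAIN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_TO_MAIN extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
! Step 4: NAT exemption; without it the servers' replies to the pool are translated and miss the tunnel
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
!===== Checking from the MAIN site whether the remote side really did steps 4 and 5 =====
! 1. Confirm the flow is allowed locally and hits the crypto map (look for the VPN phase,
!    action "allow"); the source is a pool address, so the input interface is "outside":
!      packet-tracer input outside tcp 10.10.10.5 40000 192.168.2.10 80
! 2. Send real traffic from a connected client (the telnet to port 80 will do), then:
!      show crypto ipsec sa peer 203.0.113.2
!    A child SA with local ident 10.10.10.0/255.255.255.0 and remote ident
!    192.168.2.0/255.255.255.0 only negotiates if the remote crypto ACL matches (step 5).
!    If that SA exists but "#pkts decaps" stays at 0 while "#pkts encaps" grows, the remote
!    side is receiving the traffic and its replies are being translated or dropped (step 4).
```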

Hi Sir Burts ,

Today I can now telnet to the site on port 80, & the packet trace is successful from the ASA.

But I still cannot access the site. Ping also fails. Does it mean that the problem is with the remote site?

Thank you..

Ron

I am not clear whether you are saying that these are issues when you are in a VPN session or are these problems in general. Clarification would be appreciated.

HTH

Rick



Hi Sir Burts / Guys,

I am now able to access the site. Thank you very much for the help.

The problem now is that I can access it using the VPN client but cannot access it over SSL web VPN. Any ideas?

I think I need to create another discussion for this topic.

Thank you.

Ron

My first guess would be to ask if the address used as the source address for access when using ssl-web is different from the address assigned to clients for access. Assuming that they are different I would then guess that the access rules that allow client access do not permit access for the address used by ssl-web.

Perhaps a new discussion for this question would be appropriate.

HTH

Rick


Hi Sir Burts,

I already checked the IP address & the pool is the same as with the VPN client. Please let me know if you have ideas on how to troubleshoot this issue. Again, thank you.

Please see link for the new discussion.

https://supportforums.cisco.com/message/3879617#3879617
